Italian Prime Minister’s Decree on the cybersecurity incident notification procedures highlights criticalities in the lack of connection with the criminal code and shows the structural flaws of the legislation on the national cybersecurity perimeter. Changes are urgently needed to maintain the effectiveness of the rules and protect national security – by Andrea Monti, Adjunct Professor of Law of Public Order and Security, University of Chieti-Pescara – Originally published in Italian by Formiche.net
The second Italian Prime Minister’s Decree (DPCM) implementing Law 133/19 on the protection of the national cybersecurity perimeter, which deals with incident notification procedures, has been approved by the chambers. Nevertheless, it still carries legal and public policy criticalities that could undermine its effectiveness. It is not just a matter of legal technicalities: this DPCM exposes the flaws in the design of Decree Law 105/19 and of its conversion into law, which are the legal foundation upon which the DPCMs are built.
The public policy choices in the ‘DPCM Notifications’
A first policy issue is the choice to exclude the Military from the list of recipients of incident notifications. Article 3 of the draft DPCM states that the only recipient of notifications is the Italian Computer Security Incident Response Team (CSIRT) and nobody else. This choice, made in a context in which the asymmetry of an undeclared and low-intensity conflict makes it difficult to distinguish an incident from a hostile act immediately, risks slowing down the ability to react in case of attacks by foreign powers.
Moreover, the ‘DPCM Notifications’ tacitly excludes the obligation to report incidents to the judicial authorities. Article 3, paragraphs IV, VI and VII, establishes, as a rule, the obligation to report to the CSIRT “unless the judicial authority proceeding has previously communicated the existence of specific needs of investigative secrecy”. In other words, the DPCM provides that, in addition to the Military, the Judicial Authority should not be informed “by default” of incidents occurring to critical infrastructures or to those supporting the delivery of essential services.
Critical aspects of the exclusion of Military and Judicial Authorities from the flow of notifications
The choice to exclude the Military from the flow of notifications is purely political and, as such, is shielded from legal criticism. However, some problems arise from the decision concerning the Judicial Authorities.
For reasons that would be too complex to analyse here, but which essentially relate to the failure to give national security a clear legal status, the regulation of information gathering for the State’s security is confused. Law 124/07, regulating the intelligence prerogatives of the Prime Minister, reiterated that the Judicial Authority has no jurisdiction in intelligence matters. Courts were involved only to grant authorisation to access databases and for preventive wiretapping. Simultaneously, however, the investigative and repressive components are exclusively entrusted to the courts, which will inevitably exercise their powers after a crime, a terrorist action or a hostile act has been committed. Consequently, the judicial authority should be part of the information flow on incidents within the cybersecurity perimeter. However, the ‘DPCM Notifications’ defeats precisely this objective.
Why the judicial authority cannot be excluded from notifications
Attacks on (infra)structures within the perimeter are potentially criminal offences expressly punished by Italian Criminal Law. In fact, except for the offence referred to in Article 1 paragraph XI of Law 133/19 (obstruction of testing activities and false information), both Law 133/19 and Legislative Decree 65/18 punish non-compliance with their requirements only with hefty administrative penalties (of dubious constitutionality). As a result, the only legal protection for critical infrastructures, services and essential functions is that of the computer crimes of the Penal Code, whose definitions do not coincide with those of Legislative Decree 65/18 and Law 133/19.
Moreover, the offences concerned are prosecutable ex officio, so it is enough for the public prosecutor to be informed in any way for an investigation to start. Consequently, given that Article 361 of the Criminal Code requires public officials to report offences of which they become aware in the course of their office, it is difficult to imagine, at least outside the private sector, that it would be possible to avoid automatically notifying not only the CSIRT but also the public prosecutor of an incident.
The DPCM, on the other hand, follows a different logic: notifications and further information are to be forwarded only to the CSIRT, and if the judiciary (possibly, but not necessarily, informed through another channel) were to express specific needs of secrecy, then this information would be excluded from the notification. A DPCM cannot establish such an exception. It has no legal power to overrule the law.
Consequently, and in summary, incidents affecting public facilities should in any event be the subject of a criminal complaint, and all information (despite the ‘prohibition’ of the DPCM) should be made available to the public prosecutor.
However, a different matter is that of private facilities that are critical or provide essential services. In this case, Article 361 of the Criminal Code would not apply, and therefore the obligation to report would fall on the public official who becomes aware of the fact through the notification of the incident. That situation is also not easily manageable because, for example, members of the Dipartimento informazioni per la sicurezza (Department of Information for Security, DIS) within the Prime Minister’s Office are exempt from this obligation, as they are not agents or officers of the judicial police, of public security or of military rank. However, it is possible that within the CSIRT there are persons who retain the status of public officials and who, as such, are still obliged to report.
Incident notifications and the Data Protection Authority
Another criticality in this incident management process is the role of the Data Protection Commissioner.
The Italian Network and Information Security (NIS) legislative decree, indeed, includes the Authority among the obligatory recipients of notifications of incidents occurring to critical infrastructures. This legislative choice is questionable, as there was no reason to confuse the protection of personal data with national security matters.
Art. 2 of Legislative Decree 65/18 (enforcing the EU NIS Directive in Italy) puts the NIS activity under the control of personal data regulations. This was unnecessary, as no Community law made this choice mandatory. Moreover, at the very least, NIS Directive 18/1148 (art. 8 paragraph VI) allowed for a merely consultative role of the Authority for the Protection of Personal Data, to be activated whenever appropriate. Nothing more than that.
In other words, according to Directive 18/1148:
- it was neither mandatory nor necessary to submit the NIS activity to the control of the Guarantor of personal data,
- it is the NIS Authority that decides whether and when to refer the matter to the Italian Data Protection Commissioner, which has no autonomous powers in this respect,
- the NIS Authority has the power to decide what information to share with the EDPS.
Conclusions and prospects for reform
Once again, the evanescence of the concept of national security shows its limits.
The information-gathering activity that serves the protection of the State’s interests has timings and operational necessities that sit poorly with the more ‘ordinary’ activities of the State.
In terms of general theory, it is also evident that the executive power has, and may have, operational areas (temporarily) removed from the direct and immediate control of other components of the State apparatus.
Failure to explicitly address these operational needs has created a complex, confusing and therefore uncertain system. It would have been appropriate for Decree Law 105/19 to have addressed and resolved these problems by establishing some strong points such as:
- defining national security as the protection and prevention from the occurrence of internal and/or external actions, behaviours or events that harm and/or jeopardise national interests in the economic, scientific, technological and political fields, without prejudice to what is strictly the responsibility of the military Defence of the State and the protection of public order and security,
- declaring the processing of personal data carried out by public and private entities in the context of activities relating to the protection of critical infrastructures to be of fundamental public interest, as essential for the protection of national security,
- allowing the adoption of security measures, including preventive ones, to protect national security, public order and public safety, even when they indirectly allow the control of workers and of the instruments used for work performance, without allowing their use for disciplinary purposes,
- establishing that data and information relating to incidents involving critical infrastructures and the persons referred to in Decree-Law 105/19, converted into Law 133/19, are covered by official secrecy and are not subject to communication or provision, except insofar as they are of interest to the judicial authorities in the cases provided for by law,
- providing that the Data Protection Authority be consulted, at the sole discretion of the competent NIS authority, for non-binding advisory opinions.
Several other amendments are necessary to strengthen the normative system of national security, and these suggestions alone are not enough to reach this goal. However, they represent elements which, if adopted, would begin to give “flesh and bones” to an entity which, still today, has the consistency of a legal ghost.